rpms
/
libkcapi
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to upstream version 1.1.0 

This patch also fixes the computation of self-check .hmac files.
Before, fipshmac was used for all binaries but since the hmaccalc tools
use different parameters (SHA-512 instead of SHA-256 and a different
key, this would lead to self-check failures for hmaccalc. The new
post-install script calculates the hmaccalc files using sha512hmac and
other .hmac files using fipshmac.

The parameters for the self-check of the library were also consolidated
upstream to use a single parameter set across tools (the fipscheck
parameters) so that the library is checked correctly by all tools.

I also dropped the kcapi-hasher binary and the hasher subpackage as it
is really useless on its own (and the other hasher tools are always
created as hard links). It would also be impossible to add a universally
correct .hmac file since different tools would check against it with
different parameters.
This commit is contained in:
Ondrej Mosnacek 2018-04-12 15:30:14 +02:00
parent 3440cb3784
commit 955e81c3c4
8 changed files with 465 additions and 2476 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1 +1,3 @@
/libkcapi-1.0.3.tar.xz
/libkcapi-*.tar.xz
/libkcapi-*.tar.xz.asc
/*.src.rpm

39
libkcapi-1.0.3-Makefile_Do_not_clobber_pkgconfig-dir_from_configure.patch
View File

@ -1,39 +0,0 @@
From f2ea3459e4d9e2f989bbc5fa5045bdac1742af9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Sat, 31 Mar 2018 15:28:06 +0200
Subject: [PATCH] Makefile: Do not clobber pkgconfig-dir from configure
---
Makefile.am | 2 +-
configure.ac | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 8e195b6..15eadb1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,7 +24,7 @@ man_MANS =
DOC_TARGETS =
-pkgconfigdir=$(libdir)/pkgconfig
+pkgconfigdir = @pkgconfigdir@
pkgconfig_DATA = libkcapi.pc
if DISABLE_LIB_SYM
diff --git a/configure.ac b/configure.ac
index aa89eef..b9554d1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -122,6 +122,11 @@ if test "$with_lib_kpp" = "yes"; then
fi
PKG_INSTALLDIR
+if test "x$pkgconfigdir" = "x"; then
+ pkgconfigdir = "${libdir}/pkgconfig"
+fi
+AC_SUBST([pkgconfigdir], [$pkgconfigdir])
+
AC_CONFIG_FILES([libkcapi.pc])
AC_OUTPUT

2394
libkcapi-1.0.3-to_master.patch
View File

File diff suppressed because it is too large Load Diff

34
libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch Normal file
View File

@ -0,0 +1,34 @@
From 3a860a5d5231e4912d4611397752f2010467a578 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Apr 2018 19:35:57 +0200
Subject: [PATCH] kcapi-hasher: Fix FIPS self-check always failing
---
apps/kcapi-hasher.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 861db79..a5e9c71 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -583,6 +583,7 @@ static int process_checkfile(const struct hash_params *params,
if (ret >= 0)
ret++;
}
+ checked_any = 1;
} else {
/*
* fipscheck does not have the filename in the check
@@ -591,11 +592,10 @@ static int process_checkfile(const struct hash_params *params,
if (targetfile) {
ret = hasher(handle, params, targetfile,
hexhash, hexhashlen + 1, stdout);
+ checked_any = 1;
goto out;
}
}
-
- checked_any = 1;
}
out:

373
libkcapi-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch Normal file
View File

@ -0,0 +1,373 @@
From 1ce0b18e588e226f4e9dcc3897236ae938b9d4dd Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 10:03:49 +0200
Subject: [PATCH 1/4] kcapi-hasher: Use consistent lib self-check params
Since the various hasher tools use different HMAC parameters (hash,
key) and they all need to check the libkcapi library, it is necessary
to use a consistent set of parameters for the library itself.
This patch changes the behavior to always check the library using the
fipscheck hash and key.
---
apps/kcapi-hasher.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 480a019..1d76e1d 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -611,7 +611,8 @@ static int process_checkfile(const struct hash_params *params,
}
-static int fipscheck_self(const struct hash_params *params, int just_print)
+static int fipscheck_self(const struct hash_params *params_bin,
+ const struct hash_params *params_lib, int just_print)
{
char *checkfile = NULL;
uint32_t n = 0;
@@ -668,7 +669,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
}
if (just_print) {
- ret = hash_files(params, names, 1, 0, 1);
+ ret = hash_files(params_bin, names, 1, 0, 1);
goto out;
}
@@ -678,7 +679,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
goto out;
}
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
if (ret)
goto out;
@@ -710,7 +711,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
goto out;
}
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
out:
if (checkfile)
@@ -1010,7 +1011,8 @@ int main(int argc, char *argv[])
}
}
- if (fipscheck_self(params_self, print_self_hash)) {
+ /* library self-check must be consistent across apps: */
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
fprintf(stderr, "Integrity check of application %s failed\n",
basen);
ret = 1;
From c69e77d4abd5b77a3f396abb816af1df8c9a7733 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 11:59:11 +0200
Subject: [PATCH 2/4] Makefile.am: Properly install checksum files
---
Makefile.am | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index ed724fe..07e2451 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -139,16 +139,25 @@ EXTRA_bin_kcapi_hasher_DEPENDENCIES = libtool
SCAN_FILES += $(bin_kcapi_hasher_SOURCES)
-kcapi_hasher_links = sha1sum sha224sum sha256sum sha384sum sha512sum \
- md5sum fipscheck fipshmac \
- sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
+hasher_links_fc = sha1sum sha224sum sha256sum sha384sum sha512sum \
+ md5sum fipscheck fipshmac
+hasher_links_hc = sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
+hasher_links = $(hasher_links_fc) $(hasher_links_hc)
+
+CHECKSUM_CMD_FC = $(OPENSSL) sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP
+CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
install-exec-hook:
(cd $(DESTDIR)$(bindir) && \
- ($(foreach link, $(kcapi_hasher_links), $(LN) -f kcapi-hasher $(link);)))
+ ($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
if HAVE_OPENSSL
(cd $(DESTDIR)$(bindir) && \
- ($(foreach link, $(kcapi_hasher_links), $(OPENSSL) sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);)))
+ ($(foreach link, $(hasher_links_fc), \
+ $(CHECKSUM_CMD_FC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);) \
+ $(foreach link, $(hasher_links_hc), \
+ $(CHECKSUM_CMD_HC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);):))
+ ($(foreach lib, $(wildcard $(DESTDIR)$(libdir)/libkcapi.so*), \
+ $(CHECKSUM_CMD_FC) $(lib) > $(CHECK_PREFIX)$(lib).$(CHECK_SUFFIX);):)
endif
endif
From a90c618490385d9d6214dd4918dd679b0be0df9f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 18 Apr 2018 12:17:59 +0200
Subject: [PATCH 3/4] kcapi-hasher: Add -L option for completeness
Since kcapi-hasher also checks the checksum of the libkcapi library, add
-L option to print the checksum of the library.
---
apps/kcapi-hasher.c | 130 ++++++++++++++++++++++++++++++----------------------
1 file changed, 75 insertions(+), 55 deletions(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 1d76e1d..7890060 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -114,7 +114,7 @@ static void usage(char *name, int fipscheck)
const char *base = basename(name);
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
fprintf(stderr, "\nUsage:\n");
- fprintf(stderr, "\t%s [OPTION]... -S\n", base);
+ fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
if (fipscheck)
fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
else {
@@ -123,6 +123,7 @@ static void usage(char *name, int fipscheck)
}
fprintf(stderr, "\nOptions:\n");
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
+ fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
if (!fipscheck)
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
@@ -611,8 +612,13 @@ static int process_checkfile(const struct hash_params *params,
}
+/* self-check modes: */
+#define SELFCHECK_CHECK 0
+#define SELFCHECK_PRINT_SELF 1
+#define SELFCHECK_PRINT_LIB 2
+
static int fipscheck_self(const struct hash_params *params_bin,
- const struct hash_params *params_lib, int just_print)
+ const struct hash_params *params_lib, int mode)
{
char *checkfile = NULL;
uint32_t n = 0;
@@ -626,9 +632,9 @@ static int fipscheck_self(const struct hash_params *params_bin,
void *dl = NULL, *sym;
#ifdef HAVE_SECURE_GETENV
- if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
+ if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
#else
- if (getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
+ if (getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
#endif
fipsflag[0] = 1;
} else {
@@ -660,58 +666,68 @@ static int fipscheck_self(const struct hash_params *params_bin,
}
/* Integrity check of our application. */
- memset(selfname, 0, sizeof(selfname));
- selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
- if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
- fprintf(stderr, "Cannot obtain my filename\n");
- ret = -EFAULT;
- goto out;
- }
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_SELF) {
+ memset(selfname, 0, sizeof(selfname));
+ selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
+ if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
+ fprintf(stderr, "Cannot obtain my filename\n");
+ ret = -EFAULT;
+ goto out;
+ }
- if (just_print) {
- ret = hash_files(params_bin, names, 1, 0, 1);
- goto out;
- }
+ if (mode == SELFCHECK_PRINT_SELF) {
+ ret = hash_files(params_bin, names, 1, 0, 1);
+ goto out;
+ }
- checkfile = get_hmac_file(selfname);
- if (!checkfile) {
- ret = -ENOMEM;
- goto out;
- }
+ checkfile = get_hmac_file(selfname);
+ if (!checkfile) {
+ ret = -ENOMEM;
+ goto out;
+ }
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
- if (ret)
- goto out;
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
+ if (ret)
+ goto out;
+ }
/* Integrity check of shared libkcapi.so file. */
- memset(selfname, 0, sizeof(selfname));
- snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
- KCAPI_MAJVERSION);
- dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
- if (dl == NULL) {
- fprintf(stderr, "dlopen of file %s failed\n", selfname);
- ret = -EFAULT;
- goto out;
- }
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_LIB) {
+ memset(selfname, 0, sizeof(selfname));
+ snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
+ KCAPI_MAJVERSION);
+ dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
+ if (dl == NULL) {
+ fprintf(stderr, "dlopen of file %s failed\n", selfname);
+ ret = -EFAULT;
+ goto out;
+ }
- memset(selfname, 0, sizeof(selfname));
- sym = dlsym(dl, "kcapi_md_init");
- if (sym == NULL || !dladdr(sym, &info)) {
- fprintf(stderr, "finding symbol kcapi_md_init failed\n");
- ret = -EFAULT;
- goto out;
- }
+ memset(selfname, 0, sizeof(selfname));
+ sym = dlsym(dl, "kcapi_md_init");
+ if (sym == NULL || !dladdr(sym, &info)) {
+ fprintf(stderr, "finding symbol kcapi_md_init failed\n");
+ ret = -EFAULT;
+ goto out;
+ }
- strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
+ strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
- free(checkfile);
- checkfile = get_hmac_file(selfname);
- if (!checkfile) {
- ret = -ENOMEM;
- goto out;
- }
+ if (mode == SELFCHECK_PRINT_LIB) {
+ ret = hash_files(params_lib, names, 1, 0, 1);
+ goto out;
+ }
+
+ if (checkfile)
+ free(checkfile);
+ checkfile = get_hmac_file(selfname);
+ if (!checkfile) {
+ ret = -ENOMEM;
+ goto out;
+ }
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
+ }
out:
if (checkfile)
@@ -753,9 +769,9 @@ int main(int argc, char *argv[])
int hmac = 0;
int fipscheck = 0;
int fipshmac = 0;
- int print_self_hash = 0;
+ int selfcheck_mode = SELFCHECK_CHECK;
- static const char *opts_short = "c:uh:t:Sqk:K:vbd:P";
+ static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
static const struct option opts[] = {
{"help", 0, 0, 0},
{"tag", 0, 0, 0},
@@ -765,6 +781,7 @@ int main(int argc, char *argv[])
{"hash", 1, 0, 'h'},
{"truncate", 1, 0, 't'},
{"self-sum", 0, 0, 'S'},
+ {"self-sum-lib", 0, 0, 'L'},
{"status", 0, 0, 'q'},
{"key-file", 1, 0, 'k'},
{"key", 1, 0, 'K'},
@@ -932,7 +949,10 @@ int main(int argc, char *argv[])
params.hashlen /= 8;
break;
case 'S':
- print_self_hash = 1;
+ selfcheck_mode = SELFCHECK_PRINT_SELF;
+ break;
+ case 'L':
+ selfcheck_mode = SELFCHECK_PRINT_LIB;
break;
case 'q':
loglevel = CHK_STATUS;
@@ -998,28 +1018,28 @@ int main(int argc, char *argv[])
}
}
- if (print_self_hash) {
+ if (selfcheck_mode != SELFCHECK_CHECK) {
if (checkfile) {
- fprintf(stderr, "-S and -c cannot be combined\n");
+ fprintf(stderr, "-S/-L and -c cannot be combined\n");
ret = 1;
goto out;
}
if (optind != argc) {
- fprintf(stderr, "-S cannot be used with input files\n");
+ fprintf(stderr, "-S/-L cannot be used with input files\n");
ret = 1;
goto out;
}
}
/* library self-check must be consistent across apps: */
- if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, selfcheck_mode)) {
fprintf(stderr, "Integrity check of application %s failed\n",
basen);
ret = 1;
goto out;
}
- if (print_self_hash) {
+ if (selfcheck_mode != SELFCHECK_CHECK) {
ret = 0;
goto out;
}
From 7b176840ff60bc596a7c80685ef0a81adbc00e4b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 19 Apr 2018 10:39:12 +0200
Subject: [PATCH 4/4] Makefile.am: Do not install kcapi-hasher binary
The kcapi-hasher binary is not usable on its own so it can be removed
after hard-linking the actual hasher tools.
---
Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.am b/Makefile.am
index 07e2451..383da75 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -150,6 +150,7 @@ CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
install-exec-hook:
(cd $(DESTDIR)$(bindir) && \
($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
+ -rm -f $(DESTDIR)$(bindir)/kcapi-hasher
if HAVE_OPENSSL
(cd $(DESTDIR)$(bindir) && \
($(foreach link, $(hasher_links_fc), \

23
libkcapi-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch Normal file
View File

@ -0,0 +1,23 @@
From f8e032f150522c17094e36dcf62ec3ebc77e69d8 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 16 Apr 2018 15:39:03 +0200
Subject: [PATCH] kcapi-hasher: Fix buffer overrun in get_hmac_file
We need to allocate space also for the terminating null character...
---
apps/kcapi-hasher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
index 861db79..2b87a45 100644
--- a/apps/kcapi-hasher.c
+++ b/apps/kcapi-hasher.c
@@ -360,7 +360,7 @@ static char *get_hmac_file(const char *filename)
fprintf(stderr, "File too long\n");
return NULL;
}
- checkfile = malloc(filelen + prefixlen + 1 + suffixlen);
+ checkfile = malloc(filelen + prefixlen + 1 + suffixlen + 1);
if (!checkfile)
return NULL;

71
libkcapi.spec
View File

@ -1,19 +1,13 @@
# Shared object version of libkcapi.
%global vmajor 1
%global vminor 0
%global vpatch 3
%global vminor 1
%global vpatch 0
# Do we build the replacements packages?
%bcond_with replace_coreutils
%bcond_with replace_fipscheck
%bcond_with replace_hmaccalc
%if %{with replace_coreutils} || %{with replace_fipscheck} || %{with replace_hmaccalc}
%global need_hasher 1
%else
%global need_hasher 0
%endif
# This package needs at least Linux Kernel v4.10.0.
%global min_kernel_ver 4.10.0
@ -62,6 +56,9 @@
%global hmaccalc_evr 0.9.14-10%{?dist}
%endif
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
# Add generation of HMAC checksums of the final stripped
# binaries. %%define with lazy globbing is used here
# intentionally, because using %%global does not work.
@ -69,17 +66,28 @@
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
%{_bindir}/fipshmac %{buildroot}%{_bindir}/* \
bin_path=%{buildroot}%{_bindir} \
lib_path=%{buildroot}/%{_lib} \
for app in %{apps_hmaccalc}; do \
test -e "$bin_path"/$app || continue \
{ %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } \\\
| cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \
done \
for app in %{apps_fipscheck}; do \
test -e "$bin_path"/$app || continue \
%{_bindir}/fipshmac "$bin_path"/$app || exit 1 \
done \
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
%{_bindir}/fipshmac %{buildroot}/%{_lib}/libkcapi.so.%{version} \
%{_bindir}/fipshmac "$lib_path"/libkcapi.so.%{version} \\\
|| exit 1 \
%{__ln_s} .libkcapi.so.%{version}.hmac \\\
%{buildroot}/%{_lib}/.libkcapi.so.%{vmajor}.hmac \
"$lib_path"/.libkcapi.so.%{vmajor}.hmac \
%{nil}
Name: libkcapi
Version: %{vmajor}.%{vminor}.%{vpatch}
Release: 10%{?dist}
Release: 1%{?dist}
Summary: User space interface to the Linux Kernel Crypto API
License: BSD or GPLv2
@ -87,8 +95,9 @@ URL: http://www.chronox.de/%{name}.html
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
Patch0: %{giturl}/compare/v1.0.3...master.patch#/%{name}-1.0.3-to_master.patch
Patch1: %{giturl}/pull/48.patch#/%{name}-1.0.3-Makefile_Do_not_clobber_pkgconfig-dir_from_configure.patch
Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
BuildRequires: clang
BuildRequires: coreutils
@ -146,19 +155,10 @@ BuildArch: noarch
User documentation for %{name}.
%if %{need_hasher}
%package hasher
Summary: Common utility for replacement packages
Requires: %{name}%{?_isa} == %{version}-%{release}
%description hasher
Provides a common binary used by the drop-in %{name} replacements for hashing/HMAC tools.
%endif
%if %{with replace_coreutils}
%package checksum
Summary: Drop-in replacement for *sum utils provided by the %{name} package
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Requires: %{name}%{?_isa} == %{version}-%{release}
Requires: coreutils%{?_isa} >= %{coreutils_evr}
@ -173,7 +173,7 @@ Provides drop-in replacements for sha*sum tools (from package coreutils) using %
%if %{with replace_fipscheck}
%package fipscheck
Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Requires: %{name}%{?_isa} == %{version}-%{release}
Obsoletes: fipscheck <= %{fipscheck_evr}
@ -189,7 +189,7 @@ using %{name}.
%if %{with replace_hmaccalc}
%package hmaccalc
Summary: Drop-in replacements for hmaccalc provided by the %{name} package
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
Requires: %{name}%{?_isa} == %{version}-%{release}
Obsoletes: hmaccalc <= %{hmaccalc_evr}
@ -277,6 +277,7 @@ EOF
--enable-kcapi-test \
--enable-shared \
--enable-static \
--enable-sum-prefix=. \
--with-pkgconfigdir=%{_libdir}/pkgconfig
%make_build all doc
@ -299,10 +300,6 @@ EOF
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
# Install replacement tools, if enabled.
%if !%{need_hasher}
%{__rm} -f %{buildroot}%{_bindir}/kcapi-hasher
%endif
%if !%{with replace_coreutils}
%{__rm} -f \
%{buildroot}%{_bindir}/md5sum \
@ -388,12 +385,6 @@ popd
%license %{_datadir}/licenses/%{name}*
%if %{need_hasher}
%files hasher
%{_bindir}/kcapi-hasher
%{_bindir}/.kcapi-hasher.hmac
%endif
%if %{with replace_coreutils}
%files checksum
%{_bindir}/md5sum
@ -420,16 +411,14 @@ popd
%files tools
%if %{need_hasher}
%exclude %{_bindir}/kcapi-hasher
%exclude %{_bindir}/.kcapi-hasher.hmac
%endif
%{_bindir}/kcapi*
%{_bindir}/.kcapi*.hmac
%{_mandir}/man1/kcapi*.1.*
%changelog
* Thu Apr 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-1
- Update to upstream version 1.1.0
* Sat Mar 31 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-10
- Replace single patches with a monolitic one from upstream
- Obsolete replacements subpackage

3
sources
View File

@ -1 +1,2 @@
SHA512 (libkcapi-1.0.3.tar.xz) = 2fe6b4c4129be7c1a9fcfadeaeb7eb9c709bf129574c46014542547787e3b96aadf14a9a17ecadb58968e3e14731f44a9bd20ea47aa3bbc0a3a6327a24a92a65
SHA512 (libkcapi-1.1.0.tar.xz) = 8d7a775a7ac3a16e006cc21a40e0dbc2c068879fb277ef7a96f706aa0a822ee6c29dba59e34a42cc2e3da926ee242fb47b6c1486d846d9028d662bc71e8f25fd
SHA512 (libkcapi-1.1.0.tar.xz.asc) = f2ecc4bc477231a5f2b91476f4d300be32d796cf5f49b0b89e3f5c5735690fe4b6baec3739aa8df99eaac6eac66a63b23ce25e9b16bec17f8748fcac19843968